EU’s new data privacy regulation, and how it will affect rest of the world (Relevant for GS Prelims, GS Mains Paper II; IOBR)

A lot will change after the General Data Protection Regulation (GDPR) comes into force across Europe on May 25. While the regulation comes into effect across EU member states “to harmonise data privacy laws”, its impact will be felt across the world.

What is the regulation?Enacted in 2016, GDPR ensures data protection and privacy for all those living within the EU, and also prevents the export of personal data outside its territories. Simply put, it deals with three primary areas: personal data, consent for its use, and privacy by design. The EU defines personal data as all information “related to an identified or identifiable natural person”.

What is personal data?While a lot of this such as names, phone numbers and credit card information is clearly defined, there are grey areas where work timings, answers in a test, and even opinion can be defined as personal data.

Personal data processing on consentOn consent, GDPR states that processing personal data is “generally forbidden if it is not expressly allowed by law”, or the “impacted persons have not consented” to the data being used. Even the basic requirements of consent have been defined and “must be voluntarily granted”, that too after “sufficient information” is provided to the person involved.

Privacy by design The thought behind the concept of “privacy by design” is to ensure “data protection through technology design” — the idea that data processing procedures are best adhered to when they are integrated at the point at which the technology is created. The enactment of GDPR changes the game drastically for most Internet companies, which are fuelled in every sense by the data of users. From algorithms that define the product to business models that make them multi-billion-dollar entities, almost everything these firms do originates from the small bits of data they collect from users.

Possible implications for usersA lot of this data is offered voluntarily by users, but not always because they are fully aware of what data they are creating, what they are transmitting, and how it is used. If access to this data is capped, because GDPR will need users to give explicit consent to use their data, a lot of the products offered by these companies will not be as effective as they have been so far. The implications are still being understood and range from a lot of Internet services being off-limits for those under age 16 to the death of unsolicited marketing emails.

Challenge to companies

Over the last one month, Internet companies have been trying to comply with these new regulations, whether they like it or not. While Facebook CEO Mark Zuckerberg told the European Parliament this week that his company will be fully compliant by the deadline, it seems unlikely that other Internet companies will be fully GDPR-ready. This could potentially lead to a spate of litigation in the coming months.

However, what will worry companies across the world is GDPR’s push for the right of access, which gives users in EU the ability to ask for what information a company has about them. This can be followed through with requests for correction or even erasure. It is going to be a struggle for any company to comply with such requests, given that they will have such data across multiple servers in different geographies and varied formats.

For companies that have been stashing user data for decades, this is nothing short of a nightmare. On the flip side, the European data protection standards might end up becoming the default for the rest of the world as companies struggle with different policies for different geographies. Microsoft, for instance, has announced that it will “extend the rights that are at the heart of GDPR to all of our consumer customers worldwide”. If more companies follow suit, it will be good for consumers in countries like India, where user data is still up for grabs for the highest bidder.